CVE-2024-26859: net/bnx2x: Prevent access to a freed page in page_pool
In the Linux kernel, the following vulnerability has been resolved:
net/bnx2x: Prevent access to a freed page in page_pool
Fix race condition leading to system crash during EEH error handling
During EEH error recovery, the bnx2x driver's transmit timeout logic could cause a race condition when handling reset tasks. The bnx2x_tx_timeout() schedules reset tasks via bnx2x_sp_rtnl_task(), which ultimately leads to bnx2x_nic_unload(). In bnx2x_nic_unload() SGEs are freed using bnx2x_free_rx_sge_range(). However, this could overlap with the EEH driver's attempt to reset the device using bnx2x_io_slot_reset(), which also tries to free SGEs. This race condition can result in system crashes due to accessing freed memory locations in bnx2x_free_rx_sge():
    static inline void bnx2x_free_rx_sge(struct bnx2x *bp,
                                         struct bnx2x_fastpath *fp, u16 index)
    {
        struct sw_rx_page *sw_buf = &fp->rx_page_ring[index];
        struct page *page = sw_buf->page;
        ....
where sw_buf was set to NULL after the call to dma_unmap_page() by the preceding thread.
    EEH: Beginning: 'slot_reset'
    PCI 0011:01:00.0#10000: EEH: Invoking bnx2x->slot_reset()
    bnx2x: [bnx2x_io_slot_reset:14228(eth1)]IO slot reset initializing...
    bnx2x 0011:01:00.0: enabling device (0140 -> 0142)
    bnx2x: [bnx2x_io_slot_reset:14244(eth1)]IO slot reset --> driver unload
    Kernel attempted to read user page (0) - exploit attempt? (uid: 0)
    BUG: Kernel NULL pointer dereference on read at 0x00000000
    Faulting instruction address: 0xc0080000025065fc
    Oops: Kernel access of bad area, sig: 11 [#1]
    .....
    Call Trace:
    [c000000003c67a20] [c00800000250658c] bnx2x_io_slot_reset+0x204/0x610 [bnx2x] (unreliable)
    [c000000003c67af0] [c0000000000518a8] eeh_report_reset+0xb8/0xf0
    [c000000003c67b60] [c000000000052130] eeh_pe_report+0x180/0x550
    [c000000003c67c70] [c00000000005318c] eeh_handle_normal_event+0x84c/0xa60
    [c000000003c67d50] [c000000000053a84] eeh_event_handler+0xf4/0x170
    [c000000003c67da0] [c000000000194c58] kthread+0x1c8/0x1d0
    [c000000003c67e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64
To solve this issue, we need to verify page pool allocations before freeing.
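The following is an added user-space model, not the bnx2x driver's own code, of the "verify before freeing" idea stated above: a ring of SGE entries that two unload paths may both try to free, with the free routine checking the entry's page pointer before touching it. The ring size, the malloc'd stand-in "pages", and the helper names alloc_rx_sge_range, free_rx_sge_range and simulate_double_unload are constructed for this demo.

```c
/* Added example (not the bnx2x driver's code): models the rx SGE page ring
 * and a bnx2x_free_rx_sge()-style free that checks for an already-cleared
 * page before using it. Ring size and "pages" are constructed for the demo. */
#include <stdint.h>
#include <stdlib.h>

#define RX_SGE_COUNT 8                 /* constructed ring size */

struct sw_rx_page { void *page; };     /* mirrors the driver's ring entry;
                                          page is NULL once some path freed it */
struct fastpath { struct sw_rx_page rx_page_ring[RX_SGE_COUNT]; };

void alloc_rx_sge_range(struct fastpath *fp)   /* make the ring look live */
{
    for (int i = 0; i < RX_SGE_COUNT; i++)
        fp->rx_page_ring[i].page = malloc(64);  /* stand-in for a pool page */
}

/* Hardened free: returns 1 if this call released the page, 0 if another
 * unload path already had. Without the NULL check a second caller would
 * operate on a page pointer that the first caller has already cleared. */
int free_rx_sge(struct fastpath *fp, uint16_t index)
{
    struct sw_rx_page *sw_buf = &fp->rx_page_ring[index];
    void *page = sw_buf->page;

    if (!page)                         /* the check: nothing left to unmap/free */
        return 0;
    free(page);                        /* stand-in for dma_unmap_page() + put */
    sw_buf->page = NULL;               /* tell any racing freer to back off */
    return 1;
}

int free_rx_sge_range(struct fastpath *fp)     /* as both unload paths do */
{
    int freed = 0;
    for (uint16_t i = 0; i < RX_SGE_COUNT; i++)
        freed += free_rx_sge(fp, i);
    return freed;
}

/* Models the race outcome: the second unload path runs after the first has
 * cleared the ring. Returns 1 when the hardened free handles it cleanly. */
int simulate_double_unload(void)
{
    struct fastpath fp;
    alloc_rx_sge_range(&fp);
    int first  = free_rx_sge_range(&fp);     /* bnx2x_nic_unload() side */
    int second = free_rx_sge_range(&fp);     /* bnx2x_io_slot_reset() side */
    return first == RX_SGE_COUNT && second == 0;
}
```

The model runs the two paths sequentially; in the kernel they run concurrently, so the real fix also relies on the pointer being cleared under the driver's existing ordering, which this demo does not reproduce.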
Other sources
In the Linux kernel, the following vulnerability has been resolved:
net/bnx2x: Prevent access to a freed page in page_pool
The Linux kernel CVE team has assigned CVE-2024-26859 to this issue.
Upstream advisory: https://lore.kernel.org/linux-cve-announce/2024041735-CVE-2024-26859-a906@gregkh/T
— Red Hat
Frequently Asked Questions
What is the severity of CVE-2024-26859?
CVE-2024-26859 is classified as a high-severity vulnerability due to its potential to cause system crashes.
How do I fix CVE-2024-26859?
To fix CVE-2024-26859, upgrade to the patched kernel versions specified, such as 4.19.311, 5.4.273, or higher.
Which systems are affected by CVE-2024-26859?
CVE-2024-26859 affects various versions of the Linux kernel, specifically versions earlier than the fixed releases named in the remediation answer above.
What is the nature of the vulnerability in CVE-2024-26859?
CVE-2024-26859 is a race condition vulnerability that can lead to accessing freed memory pages, causing crashes during error recovery.
Is there a workaround for CVE-2024-26859?
There are no effective workarounds for CVE-2024-26859, and applying the kernel updates is the recommended course of action.